[dns-operations] NSEC3
Roy Arends
roy at dnss.ec
Tue Jun 27 16:15:11 UTC 2006
On Jun 27, 2006, at 5:45 PM, Edward Lewis wrote:
> At 16:11 +0200 6/27/06, Roy Arends wrote:
>> On Jun 26, 2006, at 8:53 PM, Edward Lewis wrote:
>>> I was told [that] to switch between NSEC and NSEC3 I would need
>>> a completely different code base and would have to cut over all of my
>>> instances in a flash - not just zone data but name server software.
>>> To me, that's a high cost.
>>
>> I do not recall this.
>>
>> What I recall is that you indeed need new code to be able to support
>> NSEC3, surprise, surprise.
>>
>> But that you can gradually roll over, not 'cut over all of my
>> instances in a flash'.
>
> Along the line of being asked "why would you want to serve both
> NSEC and NSEC3 at the same time?" it was said that a server
> couldn't serve both up at the same time.
DNSSEC _responses_ to requests contain either NSEC or NSEC3 records.
This is decided per ZONE, not per SERVER.
An NSEC3 capable server can thus serve both NSEC for 'example.biz' and
NSEC3 for 'example.com', if that box is authoritative for both.
> That's not the same question, but I was told that an NSEC3 capable
> authoritative server would not carry the NSEC code.
Whatever entity carries NSEC3 code will have to carry NSEC code.
> The rationale was that a server has to do very different processing
> for NSEC and NSEC3, so how would it choose the code path?
Non sequitur.
> This was said by at least one implementer in the room, probably
> without considering how it could be done.
I find that highly unlikely.
IIRC, every 'NSEC3 capable authoritative server' implementation that
was present in that room is capable of serving both NSEC and NSEC3,
with a granularity on a per zone basis.
I'd like that implementer to step forward, if he/she actually exists.
Roy
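The per-zone selection Roy describes, as an added illustration that is not part of the original mail or of any named server: a small authoritative-side dispatcher that picks the NSEC or NSEC3 chain from each zone's own configuration (NSEC3PARAM present or not) and, for NSEC3 zones, computes the RFC 5155 hashed owner name. The zone table and the names looked up are constructed for the example; the salt, iteration count and expected hash for "example." are the RFC 5155 Appendix A test vector.

```python
"""Per-zone NSEC/NSEC3 chain selection with the RFC 5155 owner-name hash."""
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional

# Standard base32 alphabet -> base32hex alphabet (RFC 4648 s7), as NSEC3 uses.
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")


@dataclass
class Nsec3Param:
    salt: bytes        # salt bytes from the zone's NSEC3PARAM record
    iterations: int    # extra SHA-1 rounds on top of the first hash


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form, which is what gets hashed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, param: Nsec3Param) -> str:
    """H(x) = SHA-1(x || salt), re-applied `iterations` times (RFC 5155 s5)."""
    digest = hashlib.sha1(name_to_wire(name) + param.salt).digest()
    for _ in range(param.iterations):
        digest = hashlib.sha1(digest + param.salt).digest()
    # 20 bytes -> exactly 32 base32hex characters, so no padding to strip.
    return base64.b32encode(digest).decode("ascii").translate(B32HEX).lower()


# Constructed zone table for one server: None means a plain NSEC chain,
# an Nsec3Param means that zone carries an NSEC3 chain. One box, both kinds.
ZONES: dict[str, Optional[Nsec3Param]] = {
    "example.biz.": None,
    "example.com.": Nsec3Param(bytes.fromhex("0123abcd"), 5),
    "example.": Nsec3Param(bytes.fromhex("aabbccdd"), 12),  # RFC 5155 App. A
}


def find_zone(qname: str) -> str:
    """Longest-suffix match of qname against the zones this server hosts."""
    q = qname.lower()
    hits = [z for z in ZONES if q == z or q.endswith("." + z)]
    if not hits:
        raise KeyError(f"not authoritative for {qname}")
    return max(hits, key=len)


def denial_chain(qname: str) -> tuple[str, str]:
    """Chain type and the name the server searches in that zone's chain.

    Locating the actual covering/matching record is left out; the point is
    that the code path is chosen by the zone's configuration, not per server.
    """
    zone = find_zone(qname)
    param = ZONES[zone]
    if param is None:
        return "NSEC", qname.lower()
    return "NSEC3", nsec3_hash(qname, param) + "." + zone
```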